Please ensure Javascript is enabled for purposes of website accessibility
We Are Closed
0191 262 0444

Subject Access Request Policy

Published on: 28 Mar 2025

Subject Access Request Policy

Purpose 

This policy outlines the procedure for handling Subject Access Requests (SARs) in compliance with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. It ensures that patients can access their personal data while maintaining the practice’s operational efficiency. 

Scope 

This policy applies to all staff members involved in processing SARs at Walker Medical Group. 

Policy Statement 

Patients have the right to access their personal data held by the practice. This policy sets out the process for requesting access and the associated fees for printed reports. 

Procedure 

  1. Request Submission: 
  • Patients must submit a written request for access to their medical records. This can be done via email, post, or in person at the practice. 
  • The request should include the patient’s full name, date of birth, and contact information. 
  1. Who can make SAR requests: 
  • A Subject Access Request (SAR) can be made by: 
  • The Individual: The person whose data is held by the practice has the right to request access to their own personal data. 
  • A Third Party with Consent: Someone else can make a SAR on behalf of the individual if they have the individual’s explicit consent. This is often the case with carers or legal representatives. 
  • A Parent or Guardian: For children under the age of 16, a parent or guardian can request access to the child’s records. However, if the child is deemed competent to make their own decisions, they may need to provide consent. 
  • A Legal Representative: Solicitors or other legal representatives can request access on behalf of their clients, provided they have the necessary authorisation. 
  • A Person with Power of Attorney: If someone holds a power of attorney for health and welfare, they can request access to the individual’s medical records. 
  1. Verification: 
  • Upon receiving a request, the practice will verify the identity of the requester to ensure data protection. This may involve requesting additional identification documents. 
  1. Response Time: 
  • The practice will respond to SARs within one month of receipt (28 working days). This period may be extended by a further two months for complex requests, with the patient being informed of the extension and the reasons for it. 
  1. Provision of Records: 
  • Records will be provided in a secure format electronically subject to change. 
  • The practice will ensure that any third-party information and safeguarding relevant material is redacted before release. 
  • Records will be provided to the data subject only; please note if the request is solicitor generated then the data subject will be the recipient unless there are exceptional circumstances such as individual who lacks capacity. 
  1. Exemptions: 
  • The practice may refuse to provide access to certain information if it is deemed to cause harm to the patient or others, or if it includes third-party data without consent. Safeguarding relevant information will also be redacted. 
  1. Complaints: 
  • Patients who are dissatisfied with the handling of their SAR can submit a complaint to the practice manager. If unresolved, they may contact the Information Commissioner’s Office (ICO). 
Share via
Facebook
X (Twitter)
LinkedIn
Mix
Email
Print
Copy Link
Copy link
CopyCopied